nuts

Q1: What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)
Review the PowerShell history file, ConsoleHost_history.txt. Look for commands related to NuGet package installation and identify the full command used to install the package.
Q2: Identify the URL from which the package was downloaded.
Examine the web browsing history on the system and locate the URL used to download the NuGet package. ...

October 18, 2024 · 4 min · MikeHorn
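The two steps above (find the install command in the PSReadLine history, then find where the package came from) can be scripted so that every profile on the image is covered at once. The script below is an added example, not code from the write-up; `$Root` (the mount point of the evidence image) is an assumption, while the PSReadLine history location under each profile is the standard path.

```powershell
# Added example, not part of the original write-up: triage every user's PSReadLine
# history on a mounted image for package-installation commands and pull out any
# URLs those commands reference. $Root is an assumption (offline drive letter);
# the PSReadLine path under each profile is the standard one.
param(
    [string]$Root = 'E:\'   # assumed mount point of the evidence image; use 'C:\' on a live host
)

# Commands that pull a package or module from a feed. Extend as the case requires.
$installPattern = '(?i)\b(Install-Package|nuget(\.exe)?\s+install|dotnet\s+add\s+package|Register-PackageSource|Install-Module)\b'
$urlPattern     = '(?i)https?://[^\s''"<>]+'

function Get-PackageInstallHistory {
    param([Parameter(Mandatory)][string]$Root)

    # One ConsoleHost_history.txt per profile that has ever used PSReadLine.
    $historyFiles = Get-ChildItem -Path (Join-Path $Root 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
        } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($file in $historyFiles) {
        $user = if ($file -match '\\Users\\([^\\]+)\\') { $Matches[1] } else { '?' }

        # PSReadLine stores one command per line, oldest first, with no timestamps;
        # the line number at least preserves the order the commands were typed in.
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file -ErrorAction SilentlyContinue) {
            $lineNo++
            if ($line -match $installPattern) {
                [pscustomobject]@{
                    User    = $user
                    Line    = $lineNo
                    Command = $line.Trim()
                    Urls    = ([regex]::Matches($line, $urlPattern) | ForEach-Object { $_.Value }) -join ' '
                }
            }
        }
    }
}

Get-PackageInstallHistory -Root $Root | Format-Table -AutoSize -Wrap
```

Because the history file carries no timestamps, pair a hit with a timestamped source (browser history, Prefetch, the package cache's file times) before stating when the install happened; the `Urls` column only catches feeds named on the command line, so a package pulled from a custom source registered earlier will still need the browsing history the second question points to.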

reveal


September 28, 2024 · 4 min · MikeHorn

campfire-1

Q1: Analyzing Domain Controller Security Logs
Can you confirm the date and time when the Kerberoasting activity occurred? Open Event Viewer on the Windows VM and search for Event ID 4769. 🕒 Remember to convert your local time to UTC.
Q2: Targeted Service Name
What is the Service Name that was targeted? Check the "Service Information" section of the same event.
Q3: Workstation Identification
Identify the Workstation IP Address from which the activity originated. ...

September 22, 2024 · 2 min · MikeHorn

campfire-2

Q1: When did the AS-REP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?
Open Event Viewer on the Windows VM and search for Event ID 4768. Look for anomalies in the logs, specifically events where Pre-Authentication Type is 0. This indicates that the account does not require Kerberos pre-authentication, making it vulnerable to AS-REP Roasting. 🕒 Remember to convert the timestamp to UTC when documenting your findings. ...

September 22, 2024 · 2 min · MikeHorn
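Both campfire labs come down to the same Security-log query: Event ID 4769 for Kerberoasting (a service ticket for a user-backed SPN, typically requested with RC4, encryption type 0x17) and Event ID 4768 with Pre-Authentication Type 0 for AS-REP Roasting. The script below is an added example, not code from either write-up; it pulls both IDs from an exported Security.evtx in one pass, reports the timestamps in UTC, and prints the service name and client address the questions ask for. The log path is an assumption, and the RC4 and service-name filters are a common triage heuristic rather than something the lab text states.

```powershell
# Added example, not from the original write-ups: triage Kerberoasting (4769) and
# AS-REP roasting (4768) from an exported Security.evtx. $LogPath is an assumption;
# on a live domain controller replace "Path = $LogPath" with "LogName = 'Security'".
param(
    [string]$LogPath = 'C:\Cases\campfire\Security.evtx'
)

function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten <EventData><Data Name="..."> into a name -> value hashtable.
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$events = Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = 4768, 4769 } -ErrorAction Stop

$findings = foreach ($e in $events) {
    $d   = Get-EventDataMap $e
    $ip  = $d['IpAddress'] -replace '^::ffff:', ''                         # strip the IPv4-mapped prefix
    $utc = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')  # .evtx stores UTC; report it that way

    switch ($e.Id) {
        4769 {
            # Kerberoasting heuristic: RC4 (0x17) service ticket for something that is
            # neither krbtgt nor a machine account (machine accounts end in "$").
            if ($d['TicketEncryptionType'] -eq '0x17' -and
                $d['ServiceName'] -notmatch '^(krbtgt|.*\$)$') {
                [pscustomobject]@{
                    TimeUtc   = $utc
                    Technique = 'Kerberoasting'
                    Requester = $d['TargetUserName']
                    Service   = $d['ServiceName']
                    EncType   = $d['TicketEncryptionType']
                    PreAuth   = ''
                    ClientIp  = $ip
                }
            }
        }
        4768 {
            # AS-REP roasting: a TGT request that needed no pre-authentication at all.
            if ($d['PreAuthType'] -eq '0') {
                [pscustomobject]@{
                    TimeUtc   = $utc
                    Technique = 'AS-REP roasting'
                    Requester = $d['TargetUserName']
                    Service   = $d['ServiceName']      # krbtgt/<domain> for a TGT request
                    EncType   = $d['TicketEncryptionType']
                    PreAuth   = $d['PreAuthType']
                    ClientIp  = $ip
                }
            }
        }
    }
}

$findings | Sort-Object TimeUtc | Format-Table -AutoSize
```

`TimeCreated` is rendered in the analysis machine's local zone, so `ToUniversalTime()` returns the original UTC value the labs ask for regardless of where the image is opened. The RC4 filter will miss a Kerberoast that requested AES tickets and will flag legitimate RC4 traffic from old clients; when the question is simply "which service", drop the encryption check and look at the rarest `Service` values per `Requester` instead.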

crownjewel-1

Q1: Attackers can abuse the vssadmin utility to create volume shadow snapshots and then extract sensitive files like NTDS.dit to bypass security mechanisms. Identify the time when the Volume Shadow Copy service entered a running state.
Open the SYSTEM.evtx log and search for Event ID 7036. Look for events indicating the Volume Shadow Copy service entering a running state. 🕒 Convert the timestamp to UTC.
Q2: When a volume shadow snapshot is created, the Volume Shadow Copy service validates the privileges using the Machine account and enumerates User groups. Find the User groups it enumerates, the Subject Account name, and also identify the Process ID (in decimal) of the Volume Shadow Copy service process.
Search for Event ID 4799 and filter for: ...

September 22, 2024 · 2 min · MikeHorn
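The two questions above chain together: the 7036 event in SYSTEM.evtx gives the moment VSSVC started, and the 4799 events in the Security log that name VSSVC.exe as the caller give the groups it enumerated, the machine account it ran as, and its process ID (which the log stores as hex). The script below is an added example, not code from the write-up; both .evtx paths are assumptions.

```powershell
# Added example, not from the original write-up: correlate the Volume Shadow Copy
# service start (System 7036) with the group enumerations VSSVC.exe performed
# (Security 4799). Both log paths are assumptions.
param(
    [string]$SystemLog   = 'C:\Cases\crownjewel\SYSTEM.evtx',
    [string]$SecurityLog = 'C:\Cases\crownjewel\Security.evtx'
)

# 7036 carries two positional values: param1 = service display name, param2 = new state.
$vssStarts = Get-WinEvent -FilterHashtable @{ Path = $SystemLog; Id = 7036 } -ErrorAction Stop |
    Where-Object { $_.Properties[0].Value -eq 'Volume Shadow Copy' -and $_.Properties[1].Value -eq 'running' } |
    Sort-Object TimeCreated

foreach ($s in $vssStarts) {
    '{0} UTC  {1} service entered the {2} state' -f
        $s.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss'),
        $s.Properties[0].Value, $s.Properties[1].Value
}

# 4799: "A security-enabled local group membership was enumerated." Keep only the
# ones where the calling process is VSSVC.exe.
$enumerations = Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 4799 } -ErrorAction Stop |
    ForEach-Object {
        $e = $_
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

        if ($d['CallerProcessName'] -match '\\VSSVC\.exe$') {
            [pscustomobject]@{
                TimeUtc    = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
                Subject    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']   # expect the machine account (NAME$)
                GroupName  = $d['TargetUserName']
                PidDecimal = [Convert]::ToInt32($d['CallerProcessId'], 16)                 # log stores the PID as 0x... hex
                Process    = $d['CallerProcessName']
            }
        }
    }

$enumerations | Sort-Object TimeUtc | Format-Table -AutoSize

# One line per VSSVC process: who it ran as and every group it enumerated.
$enumerations | Group-Object PidDecimal | ForEach-Object {
    '{0} (PID {1}) enumerated: {2}' -f
        $_.Group[0].Subject, $_.Name,
        (($_.Group.GroupName | Sort-Object -Unique) -join ', ')
}
```

Match the 4799 timestamps against the 7036 start time before attributing them: VSSVC is an on-demand service, so a process ID seen long after the start you found belongs to a different instance of the service, and a restart between the two would mean a different PID answers the question.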